Connected accounts 1 (#27)

* adding microsoft login for connected accounts

* CA & TV continued

* CA & TV with cli working

* FCAT with access_token

Author: abbaspour

readme.md

@@ -802,6 +802,6 @@ Sample access_token. `org_id` is nullable for donors.
 | 08 | [s-08.txt](./videos/08/s-08.txt) | [s-08.mp4](./videos/08/s-08.mp4) | Donor    | Bulk import & Forms               |
 | 09 | [s-09.txt](./videos/09/s-09.txt) | [s-09.mp4](./videos/09/s-09.mp4) | Donor    | MCD                               |
 | 10 | [s-10.txt](./videos/10/s-10.txt) | [s-10.mp4](./videos/10/s-10.mp4) | Donor    | User events                       |
-| 11 | [s-11.txt](./videos/11/s-11.txt) | [s-11.mp4](./videos/11/s-11.mp4) | Business | Connected Account                 |
+| 11 | [s-11.txt](./videos/11/s-11.txt) | [s-11.mp4](./videos/11/s-11.mp4) | Business | Token Vault, Connected Account    |
 | 12 | [s-12.txt](./videos/12/s-12.txt) | [s-12.mp4](./videos/12/s-12.mp4) | Business | CIBA                              |
 | 13 | [s-13.txt](./videos/13/s-13.txt) | [s-13.mp4](./videos/13/s-13.mp4) | Both     | Closing thoughts                  |

tf/02-donor-website.tf

@@ -125,18 +125,26 @@ resource "auth0_client" "donor" {
   }
 
   organization_usage = "deny"
+
+  grant_types = [
+    "authorization_code",
+    "password",
+    "http://auth0.com/oauth/grant-type/password-realm",
+    #"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",
+  ]
 }
 
 # donor cli client
 resource "auth0_client" "donor-cli" {
   name            = "Donor CLI"
   description     = "Donor CLI client"
-  app_type        = "spa"
+  app_type        = "regular_web"
   oidc_conformant = true
   is_first_party  = true
 
   callbacks = [
-    "https://donor.${var.top_level_domain}"
+    "https://donor.${var.top_level_domain}",
+    "https://jwt.io"
   ]
 
   allowed_logout_urls = [
@@ -148,13 +156,20 @@ resource "auth0_client" "donor-cli" {
   }
 
   grant_types = [
+    "implicit",
     "password",
-    "http://auth0.com/oauth/grant-type/password-realm"
+    "http://auth0.com/oauth/grant-type/password-realm",
+    "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",
+    "refresh_token"
   ]
 
   organization_usage = "deny"
 }
 
+output "donor-cli-client-id" {
+  value = auth0_client.donor-cli.client_id
+}
+
 # Generate auth config file for donor SPA
 resource "local_file" "donor_auth_config_json" {
   filename = "${path.module}/../donor/spa/public/auth_config.json"

tf/03-social-login.tf

@@ -117,19 +117,6 @@ resource "auth0_connection_clients" "linkedin-clients" {
   ]
 }
 
-## Google Social
-data "auth0_connection" "google-oauth2" {
-  name = "google-oauth2"
-}
-
-
-resource "auth0_connection_clients" "google-clients" {
-  connection_id = data.auth0_connection.google-oauth2.id
-  enabled_clients = [
-    //auth0_client.donor.client_id,
-  ]
-}
-
 ## Facebook social
 # VISIT https://developers.facebook.com/apps/1505837500618862/fb-login/settings/
 resource "auth0_connection" "facebook" {

tf/11-token-vault-connected-accounts.tf

@@ -0,0 +1,85 @@
+data "auth0_resource_server" "my-account" {
+  identifier = "https://${var.auth0_domain}/me/"
+}
+
+resource "auth0_client_grant" "donor-cli-grants" {
+  audience  = data.auth0_resource_server.my-account.identifier
+  client_id = auth0_client.donor-cli.id
+  scopes = [
+    // authentication methods
+    "read:me:authentication_methods",
+    "delete:me:authentication_methods",
+    "update:me:authentication_methods",
+    "create:me:authentication_methods",
+    // factors
+    "read:me:factors",
+    // connected_accounts
+    "create:me:connected_accounts",
+    "read:me:connected_accounts",
+    "delete:me:connected_accounts"
+  ]
+  subject_type = "user"
+}
+
+data "auth0_client" "donor-api-client" {
+  name = auth0_resource_server.donor_api.name
+}
+
+/*
+resource "auth0_client_grant" "donor-grants" {
+  audience  = data.auth0_resource_server.my-account.identifier
+  client_id = auth0_client.donor.id
+  scopes = [
+    // authentication methods
+    "read:me:authentication_methods",
+    "delete:me:authentication_methods",
+    "update:me:authentication_methods",
+    "create:me:authentication_methods",
+    // factors
+    "read:me:factors",
+    // connected_accounts
+    "create:me:connected_accounts",
+    "read:me:connected_accounts",
+    "delete:me:connected_accounts"
+  ]
+  subject_type = "user"
+}
+*/
+
+## social connection to connected accounts
+# VISIT https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/21003461-3662-430d-a8af-bc50abacfe6e/isMSAApp~/false
+# VISIT https://manage.auth0.com/dashboard/au/replate-prd/connections/social/con_nvtYytFItnYhBirE/settings
+resource "auth0_connection" "windowslive" {
+  name     = "Microsoft"
+  strategy = "windowslive"
+
+  authentication {
+    active = false
+  }
+
+  connected_accounts {
+    active = true
+  }
+
+  options {
+    client_id                = var.microsoft_client_id
+    client_secret            = var.microsoft_client_secret
+    strategy_version         = 2
+    scopes                   = [
+      "signin",
+      "offline_access",
+      "graph_calendars",
+      "graph_user"
+    ]
+    set_user_root_attributes = "on_each_login"
+  }
+}
+
+resource "auth0_connection_clients" "windowslive-clients" {
+  connection_id = auth0_connection.windowslive.id
+  enabled_clients = [
+    auth0_client.donor-cli.client_id,
+    auth0_client.donor.client_id,
+    data.auth0_client.donor-api-client.client_id
+  ]
+}

tf/providers.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     auth0 = {
       source  = "auth0/auth0"
-      version = ">= 1.32"
+      version = ">= 1.33"
     }
     cloudflare = {
       source  = "cloudflare/cloudflare"

tf/variables.tf

@@ -101,6 +101,7 @@ variable "linkedin_client_id" {
 variable "linkedin_client_secret" {
   type = string
   description = "LinkedIn social connection client_secret"
+  sensitive = true
 }
 
 variable "linkedin_user_email" {
@@ -117,13 +118,25 @@ variable "facebook_client_id" {
 variable "facebook_client_secret" {
   type = string
   description = "Facebook social connection client_secret"
+  sensitive = true
 }
 
 variable "facebook_user_email" {
   type = string
   description = "database user with a matching email for facebook social"
 }
 
+## Microsoft Social
+variable "microsoft_client_id" {
+  type = string
+  description = "Microsoft social connection client_id"
+}
+
+variable "microsoft_client_secret" {
+  type = string
+  description = "Microsoft social connection client_secret"
+  sensitive = true
+}
 
 ## AoB
 variable "default-password" {